Category FILE
Started On 2016-11-06 21:49:54.040402
Completed On 2016-11-06 21:55:59.397191
Duration 365 seconds
Cuckoo Version 2.0-dev

Machine windowsxp1
Label windowsxp1
Manager VirtualBox
Started On 2016-11-06 21:52:48
Shutdown On 2016-11-06 21:55:59

File Details

File name ticket_432247.doc
File size 162816 bytes
File type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: , Author: Laura, Template: Normal.dot, Last Saved By: Windows, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Oct 19 14:33:00 2016, Last Saved Time/Date: Wed Oct 19 14:34:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0
CRC32 28E780BB
MD5 543c0cf636bc0e56007e6211cd05ecf2
SHA1 400cb9f479fd5ab09aa895245e16ba999ce5142e
SHA256 3ea894203c48d37b73ce9202dec7eedbf1c724b707f7de058e42c18c3e55bd49
SHA512 909f4c09ee15da781a6405f806d5172d3a3e6f3e84d5e40df7b79885ffd76df989f44cae2587d3bb584af5e864280eebf70c0c2b9cc6edbe50dcfec7f316f330
Ssdeep 3072:TPzjPz+GMPyhgY0u7X6P2ab+PA5dIJ064tSk9qAERSEj7RdM+:TXzhgFPHasuJkQRLldM+
PEiD None matched
Yara None matched
VirusTotal
VirusTotal Scan Date: 2016-11-03 16:50:00
Detection Rate: 36/55
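
The digests above are the values an analyst uses to confirm that the sample on disk is the one this report describes. The following Python is an added example (not part of the Cuckoo report or of Cuckoo itself): it computes the same CRC32/MD5/SHA1/SHA256/SHA512 fingerprints, checks the OLE2 (Composite Document File V2) magic that the "File type" line reports, and compares the result with the values copied from this report. The sample itself is not included; the test input is a constructed byte string.

```python
import hashlib
import sys
import zlib

# Magic bytes of a Composite Document File V2 (OLE2) container, the
# container format Cuckoo reported for ticket_432247.doc.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Digests copied from the File Details section of this report.
REPORTED = {
    "crc32": "28E780BB",
    "md5": "543c0cf636bc0e56007e6211cd05ecf2",
    "sha1": "400cb9f479fd5ab09aa895245e16ba999ce5142e",
    "sha256": "3ea894203c48d37b73ce9202dec7eedbf1c724b707f7de058e42c18c3e55bd49",
    "sha512": "909f4c09ee15da781a6405f806d5172d3a3e6f3e84d5e40df7b79885ffd76df9"
              "89f44cae2587d3bb584af5e864280eebf70c0c2b9cc6edbe50dcfec7f316f330",
}


def fingerprint(data: bytes) -> dict:
    """Return the digests Cuckoo prints under File Details, as lowercase hex."""
    crc = zlib.crc32(data) & 0xFFFFFFFF  # mask keeps it unsigned on every Python
    return {
        "crc32": "%08x" % crc,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def is_ole2(data: bytes) -> bool:
    """True when the first 8 bytes are the OLE2 compound-document signature."""
    return data[:8] == OLE2_MAGIC


def matches_report(data: bytes, reported: dict) -> dict:
    """Compare each reported digest with the computed one (case-insensitive)."""
    computed = fingerprint(data)
    return {name: computed[name] == value.lower() for name, value in reported.items()}


if __name__ == "__main__":
    # Usage: python fingerprint.py ticket_432247.doc
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print("OLE2 container:", is_ole2(blob))
    for name, ok in matches_report(blob, REPORTED).items():
        print("%-6s %s" % (name, "match" if ok else "MISMATCH"))
```

A mismatch on any one digest means the file is not the submitted sample (or has been modified), so every later observation in this report should be treated as belonging to a different object.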

Signatures

No signatures matched

Screenshots

Static Analysis

Strings

Dropped Files

a1272deb82ce95c1_ge443.exe

b27b98df298e685e_~$cket_432247.doc

4826c0d860af884d_~wrs{62607051-bd4c-4c72-ae75-da471cbd93ee}.tmp

7d3ce07f89e0f4b8_msforms.exd

Network Analysis

Nothing to display.

Behavior Summary

File-Written
  • C:\Documents and Settings\Administrator\Local Settings\Temp\VBE\MSForms.exd
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{62607051-BD4C-4C72-AE75-DA471CBD93EE}.tmp
  • C:\Documents and Settings\Administrator\Local Settings\Temp\~$cket_432247.doc
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
  • C:\Documents and Settings\Administrator\Local Settings\Temp\ge443.exe
  • \\?\PIPE\lsarpc
File-Deleted
File-Opened
  • C:\
  • C:\Program Files\Microsoft Office\Office12\MSWORD.OLB
  • C:\WINDOWS\system32\spool\drivers\color\sRGB Color Space Profile.icm
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip
  • C:\Program Files\Microsoft Office\Office12\ID_00030.DPC
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\
  • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\OPA12.BAK
  • C:\WINDOWS\system32\FM20.DLL
  • C:\WINDOWS\system32\MSCTFIME.IME
  • C:\WINDOWS\system32\shell32.dll
  • C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB
  • C:\Documents and Settings\Administrator\Local Settings\Temp\
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Cultures\OFFICE.ODF
  • \\?\PIPE\lsarpc
  • C:\Documents and Settings\Administrator\Local Settings\Temp\VBE\
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
  • C:\Documents and Settings\All Users\Documents\desktop.ini
  • C:\Program Files\Microsoft Office\Office12\
  • C:\Program Files\Microsoft Office\Office12\STARTUP\
  • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat
  • C:\Documents and Settings\Administrator\
  • C:\WINDOWS\system32\imm32.dll
  • C:\WINDOWS\system32\stdole2.tlb
  • C:\WINDOWS\system32\MSIMTF.dll
  • C:\WINDOWS\system32\
  • C:\Documents and Settings\
  • C:\Documents and Settings\Administrator\Local Settings\
  • C:\Documents and Settings\Administrator\Application Data\desktop.ini
  • C:\Program Files\
  • C:\Documents and Settings\Administrator\Local Settings\Temp\VBE\MSForms.exd
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm
  • C:\Documents and Settings\All Users\
  • C:\Documents and Settings\Administrator\Application Data\
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\
  • C:\Documents and Settings\Administrator\Local Settings\Temp\ticket_432247.doc
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
  • C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL
  • C:\Documents and Settings\Administrator\My Documents\desktop.ini
  • C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Office\
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Forms\WINWORD.box
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\STARTUP\
File-Moved
  • ->
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Processes


lsass.exe PID: 644, Parent PID: 588

WINWORD.EXE PID: 1684, Parent PID: 1060

ge443.exe PID: 308, Parent PID: 1684

ge443.exe PID: 396, Parent PID: 308
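
The Signatures section reports no matches, yet the process list shows WINWORD.EXE (PID 1684) as the parent of ge443.exe (PID 308), and the Behavior Summary shows ge443.exe being written to the user's Temp directory during the run. The following Python is an added example (not part of the Cuckoo report or of Cuckoo's signature set) of the check an analyst would apply by hand: it rebuilds the process tree from the name/PID/parent-PID triples above, collects executable images from the File-Written list, and flags any process whose image was written during the run and that has an Office host in its parent chain. The process and file lists are copied from this report; the Office host names and executable extensions are assumptions chosen for the example.

```python
import ntpath

# Process list from the Processes section of this report: (name, pid, parent pid).
PROCESSES = [
    ("lsass.exe", 644, 588),
    ("WINWORD.EXE", 1684, 1060),
    ("ge443.exe", 308, 1684),
    ("ge443.exe", 396, 308),
]

# File-Written entries from the Behavior Summary of this report.
FILES_WRITTEN = [
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\VBE\MSForms.exd",
    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
    r"\Content.Word\~WRS{62607051-BD4C-4C72-AE75-DA471CBD93EE}.tmp",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\~$cket_432247.doc",
    r"C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\ge443.exe",
    r"\\?\PIPE\lsarpc",
]

# Assumed for this example: Office hosts that should not spawn freshly written
# executables, and the extensions treated as executable images.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll"}


def build_tree(processes):
    """Return pid -> (name, ppid) and ppid -> [child pids]."""
    by_pid = {pid: (name, ppid) for name, pid, ppid in processes}
    children = {}
    for _, pid, ppid in processes:
        children.setdefault(ppid, []).append(pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """Names of pid and its ancestors, nearest first, as far as the list allows."""
    chain = []
    while pid in by_pid:
        name, ppid = by_pid[pid]
        chain.append(name)
        pid = ppid
    return chain


def written_executables(files):
    """Map lowercased basename -> full path for written files with an executable extension."""
    out = {}
    for path in files:
        base = ntpath.basename(path)
        if ntpath.splitext(base)[1].lower() in EXEC_EXT:
            out[base.lower()] = path
    return out


def find_office_droppers(processes, files):
    """Flag processes whose image was written during the run and whose parent
    chain contains an Office host (e.g. WINWORD.EXE -> Temp\\ge443.exe)."""
    by_pid, _ = build_tree(processes)
    dropped = written_executables(files)
    hits = []
    for name, pid, ppid in processes:
        if name.lower() not in dropped:
            continue
        parents = ancestry(by_pid, ppid)
        if any(p.lower() in OFFICE_HOSTS for p in parents):
            hits.append({"pid": pid, "image": dropped[name.lower()], "parent_chain": parents})
    return hits


def render_tree(processes, root_pid, depth=0):
    """Indented text rendering of the subtree under root_pid."""
    by_pid, children = build_tree(processes)
    name, _ = by_pid[root_pid]
    lines = ["%s%s (PID %d)" % ("  " * depth, name, root_pid)]
    for child in children.get(root_pid, []):
        lines.extend(render_tree(processes, child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES, 1684)))
    for hit in find_office_droppers(PROCESSES, FILES_WRITTEN):
        print("PID %d runs %s; parents: %s" % (hit["pid"], hit["image"], " <- ".join(hit["parent_chain"])))
```

The second ge443.exe (PID 396) is flagged through its grandparent, not its direct parent, which is why the check walks the whole known chain rather than comparing only the immediate PPID. The chain stops at PID 1060 because that process is not in the report's list.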

Volatility

Nothing to display.